Assessment reports>WOOFI Stake>Threat Model>claimRewards

Function: claimRewards()

This function manually claims rewards for the sender. It cannot be used if autocompounding is enabled.

Branches and code coverage

Intended branches

  • Called by staker with autocompounding disabled.

Negative behavior

  • Called by staker with autocompounding enabled.

Zellic © 2025